IAM存储桶策略允许跨帐户Lambda函数写入S3

时间:2015-12-11 22:55:47

标签: amazon-s3 amazon-iam aws-lambda

我很难搞清楚如何完成这项工作。我们的客户端运行Lambda函数来生成要写入存储桶的数据。 Lambda承担了一个角色,因此(我认为)我们允许客户端整个帐户访问存储桶的所有尝试仍然会导致AccessDenied错误。

在查看我们的日志时,我看到为STS假定角色返回了AccessDenied。但是,S3控制台不允许我为通配符Principal添加策略,并且假定角色的会话ID会更改每个会话。

我从稀疏文档中猜到,我们需要为lambda.amazonaws.com服务提供信任关系。但我无法在任何地方找到任何关于如何限制只从特定Lambda函数或帐户访问的文档。

我希望有类似的东西,但对委托人有进一步的限制,以便任何帐户或Lambda函数都无法访问它。

{
    "Version": "2012-10-17",
    "Id": "Policy11111111111111",
    "Statement": [
        {
            "Sid": "Stmt11111111111111",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "lambda.amazonaws.com"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name-here/*",
                "arn:aws:s3:::bucket-name-here"
            ]
        }
    ]
}

更新

这项政策甚至不起作用。它仍然返回一个AccessDenied。日志中列出的用户采用arn:aws:sts::111111222222:assumed-role/role-name/awslambda_333_201512111822444444

的形式

因此,我甚至不知道如何让Lambda函数写入S3存储桶。

2 个答案:

答案 0 :(得分:2)

我们最终在IAM团队的帮助下解决了这个问题。

IAM角色继承帐户的任何权限,因此他们需要明确分配给Lambda脚本assumed role的权限。

在我们的示例中,Lambda脚本还尝试授予目标存储区所有者对复制文件的完全控制权。 Lambda函数假定的角色缺少s3:PutObjectAcl的权限。 在我们添加了权限后,lambda函数开始正常工作。

我们现在正在使用的目标政策是这样的:

{
  "Version": "2012-10-17",
  "Id": "Policy11111111111111",
  "Statement": [
    {
        "Sid": "Stmt11111111111111",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:ListBucket*",
        "Resource": "arn:aws:s3:::bucket-name",
        "Condition": {
            "StringLike": {
                "aws:userid": "ACCOUNT-ID:awslambda_*"
            }
        }
    },
    {
        "Sid": "Stmt11111111111111",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket-name/*",
        "Condition": {
            "StringLike": {
                "aws:userid": "ACCOUNT-ID:awslambda_*"
            }
        }
    },
    {
        "Sid": "Stmt11111111111111",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::0000000000000:root"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket-name"
    },
    {
        "Sid": "Stmt11111111111111",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::0000000000000:root"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}

答案 1 :(得分:0)

To Allow Cross account lambda function to get access of s3 bucket
following policy we need to add to s3 bucket policy externally
{
            "Sid": "AWSLambda",
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com",
                "AWS": "arn:aws:iam::<AccountID>:root"
            },
            "Action": "s3:GetObject",
            "Resource": "<AWS_S3_Bucket_ARN>/*"
        }

以下模板将帮助您允许跨帐户Lambda函数访问s3存储桶

Parameters:
  LamdaAccountId:
    Description: AccountId to which allow access
    Type: String
Resources:
  myBucket:
    Type: 'AWS::S3::Bucket'
    Properties: {}
    Metadata:
      'AWS::CloudFormation::Designer':
        id: e5eb9fcf-5fe2-468c-ad54-b9b41ba1926a
  myPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref myBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: Stmt1580304800238
            Action: 's3:*'
            Effect: Allow
            Resource:
              - !Sub 'arn:aws:s3:::${myBucket}/*'
            Principal:
              Service: lambda.amazonaws.com
              AWS:
                - !Sub '${LamdaAccountId}'

相关问题
最新问题